Limrad Nac
Monthly
Stored cross-site scripting in Limatek System Inc.'s LimRAD NAC through version 08072026 allows an adjacent-network, low-privileged attacker to inject persistent malicious scripts that execute in victims' browsers when affected pages are loaded. The CVSS scope change (S:C) confirms that injected script execution crosses into the victim's browser security context, enabling potential session hijacking or credential theft targeting higher-privileged users such as administrators. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the vendor did not respond to TR-CERT's disclosure, leaving no patch available and remediation options limited to compensating controls.
Remote code execution in Limatek System Inc. LimRAD NAC versions prior to 5.5.7.3.9 allows unauthenticated remote attackers to upload dangerous file types and achieve Remote Code Inclusion. The CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating reflects an internet-reachable, no-interaction exploitation path against a network access control appliance, though no public exploit identified at time of analysis. The vulnerability was disclosed by TR-CERT and tracked in Turkish national vulnerability advisory TR-26-0366.
Stored cross-site scripting in Limatek System Inc.'s LimRAD NAC through version 08072026 allows an adjacent-network, low-privileged attacker to inject persistent malicious scripts that execute in victims' browsers when affected pages are loaded. The CVSS scope change (S:C) confirms that injected script execution crosses into the victim's browser security context, enabling potential session hijacking or credential theft targeting higher-privileged users such as administrators. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the vendor did not respond to TR-CERT's disclosure, leaving no patch available and remediation options limited to compensating controls.
Remote code execution in Limatek System Inc. LimRAD NAC versions prior to 5.5.7.3.9 allows unauthenticated remote attackers to upload dangerous file types and achieve Remote Code Inclusion. The CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating reflects an internet-reachable, no-interaction exploitation path against a network access control appliance, though no public exploit identified at time of analysis. The vulnerability was disclosed by TR-CERT and tracked in Turkish national vulnerability advisory TR-26-0366.